
Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/09/2024, 01:58

General

  • Target

    b64ff5f1c84c8bc597d5c3b16be49d4add17ba27d790797e80e650e4f615b67c.exe

  • Size

    197KB

  • MD5

    d5dedeed045daa6f7dcdc079187b3e25

  • SHA1

    8e3f34a25da743d73f247ac6e8c01bf7de30bf61

  • SHA256

    b64ff5f1c84c8bc597d5c3b16be49d4add17ba27d790797e80e650e4f615b67c

  • SHA512

    60a193eee2700e1113131e67099ca671e33be13c8912c04186607b5bff73359650fb3339641b94d903466b7e0c3a7b7105769f2929433469ad4ce026e4bc9382

  • SSDEEP

    3072:jEGh0oKl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGwlEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
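Active Setup runs the StubPath of each HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} key once per user at logon, whenever the HKCU copy of that key is missing or carries an older Version. The report counts 24 IoCs under this signature but does not print the values that were written, so the following added example (not tria.ge code) checks a host directly: it parses a `reg export` of the Installed Components key and flags StubPath entries that point at a GUID-named executable, at an executable dropped straight into the Windows directory (as the stages below are), or at a user-writable location. SAMPLE_REG is constructed from the paths in this report plus one legitimate-looking entry; the heuristics are path-based only and do not replace a signature check on the referenced binary.

```python
"""Flag suspicious Active Setup 'Installed Components' entries in a .reg export.

Added example, not tria.ge code. Intended input is the output of
  reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" as.reg
(plus the Wow6432Node copy on 64-bit hosts); reg.exe writes UTF-16, so open the
file with encoding="utf-16". SAMPLE_REG is constructed: the report counts 24
Active Setup IoCs but does not print the registry values that were written.
"""
import re
from typing import Dict, List

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')
# {GUID}.exe filename component, the naming used by the stages in this report.
GUID_EXE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe\b", re.I)
# An executable sitting directly in the Windows directory instead of a subfolder.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe\b", re.I)
# Directories a standard user can write to.
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|programdata|users\\public|downloads)\\", re.I)


def _hex2(s: str) -> str:
    """Encode a string the way reg.exe exports REG_EXPAND_SZ: hex(2):UTF-16LE bytes."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\b64ff5f1c84c8bc597d5c3b16be49d4add17ba27d790797e80e650e4f615b67c.exe"
# Constructed sample export: one benign-looking component, two modelled on the paths in this report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"Version"="10,0,19041,1"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{91C7AC41-A405-4d13-BA53-0BC59B7634AD}]
"StubPath"="C:\\Windows\\{91C7AC41-A405-4d13-BA53-0BC59B7634AD}.exe"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0B50FDC8-A574-462f-923A-8AB42F46E501}]
"StubPath"=@HEX2@
'''.replace("@HEX2@", _hex2(DROPPER))


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data: str) -> str:
    """Decode REG_SZ ("...") and REG_EXPAND_SZ (hex(2):...) data; leave other types raw."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("hex(2):"):
        raw = bytes(int(h, 16) for h in data[7:].split(",") if h)
        return raw.decode("utf-16-le").rstrip("\0")
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=data lines, joining hex continuation lines
    (trailing backslash) that reg.exe emits for long values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):          # string data always ends in a quote
            buf = line[:-1]
            continue
        buf = ""
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode(m.group(2))
    return keys


def stub_reasons(stub: str) -> List[str]:
    """Path-based heuristics; an empty list means 'nothing obviously wrong', not 'clean'."""
    reasons = []
    if GUID_EXE.search(stub):
        reasons.append("GUID-named executable")
    if WINDOWS_ROOT_EXE.match(stub):
        reasons.append("executable directly under the Windows directory")
    if USER_WRITABLE.search(stub):
        reasons.append("executable in a user-writable directory")
    return reasons


def find_suspicious_stubs(reg_text: str) -> List[dict]:
    hits = []
    for key, values in parse_reg(reg_text).items():
        if "\\active setup\\installed components\\" not in key.lower():
            continue
        stub = values.get("StubPath", "")
        reasons = stub_reasons(stub)
        if reasons:
            hits.append({"component": key.rsplit("\\", 1)[1], "stub": stub, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_stubs(SAMPLE_REG):
        print(hit["component"], "->", hit["stub"], "|", "; ".join(hit["reasons"]))
```

Compare the flagged components against the per-user copy under HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components as well: a GUID present in HKLM but absent from HKCU for a given user will fire at that user's next logon.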

Processes

  • C:\Users\Admin\AppData\Local\Temp\b64ff5f1c84c8bc597d5c3b16be49d4add17ba27d790797e80e650e4f615b67c.exe
    "C:\Users\Admin\AppData\Local\Temp\b64ff5f1c84c8bc597d5c3b16be49d4add17ba27d790797e80e650e4f615b67c.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Windows\{91C7AC41-A405-4d13-BA53-0BC59B7634AD}.exe
      C:\Windows\{91C7AC41-A405-4d13-BA53-0BC59B7634AD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4436
      • C:\Windows\{3296C14E-EE83-4362-8465-03DEF42B46D6}.exe
        C:\Windows\{3296C14E-EE83-4362-8465-03DEF42B46D6}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\{E79DD3F3-D479-4e79-8D58-25F005F1C74E}.exe
          C:\Windows\{E79DD3F3-D479-4e79-8D58-25F005F1C74E}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\{6942E11E-FCB0-4e12-96ED-4FE616E16748}.exe
            C:\Windows\{6942E11E-FCB0-4e12-96ED-4FE616E16748}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1400
            • C:\Windows\{C8A5BB9C-D226-47a4-BC70-6EAF6E6F980C}.exe
              C:\Windows\{C8A5BB9C-D226-47a4-BC70-6EAF6E6F980C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3760
              • C:\Windows\{FE7B63FD-44ED-4674-9501-6F23F03FCED7}.exe
                C:\Windows\{FE7B63FD-44ED-4674-9501-6F23F03FCED7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4280
                • C:\Windows\{FE0A042F-657A-4022-8EA2-394391E2FBE3}.exe
                  C:\Windows\{FE0A042F-657A-4022-8EA2-394391E2FBE3}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3612
                  • C:\Windows\{65F001F1-377F-4537-A315-58411C9D7740}.exe
                    C:\Windows\{65F001F1-377F-4537-A315-58411C9D7740}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2448
                    • C:\Windows\{89C415AD-18EB-4acb-A818-9E8302F29405}.exe
                      C:\Windows\{89C415AD-18EB-4acb-A818-9E8302F29405}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2008
                      • C:\Windows\{4C05E68B-FB39-4fe2-A4A5-A9DB4D7F4333}.exe
                        C:\Windows\{4C05E68B-FB39-4fe2-A4A5-A9DB4D7F4333}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3140
                        • C:\Windows\{0B50FDC8-A574-462f-923A-8AB42F46E501}.exe
                          C:\Windows\{0B50FDC8-A574-462f-923A-8AB42F46E501}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2816
                          • C:\Windows\{05904DFE-59BC-400e-8D3D-41CF138B9B95}.exe
                            C:\Windows\{05904DFE-59BC-400e-8D3D-41CF138B9B95}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3284
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0B50F~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4692
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4C05E~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1992
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{89C41~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2276
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{65F00~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3736
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{FE0A0~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2372
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{FE7B6~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:468
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C8A5B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3036
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6942E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3596
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E79DD~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1260
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{3296C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2240
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91C7A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B64FF5~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4692
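The tree above is a relay: every stage writes the next {GUID}.exe into C:\Windows, executes it, and spawns `cmd.exe /c del <8.3 short name of its own image> > nul` so that the file it was launched from disappears while the process keeps running. Two properties survive across the whole chain and are what a detection should key on: a GUID-named executable directly under the Windows directory whose parent is another such executable, and a cmd.exe whose `del` target is the short (8.3) name of its parent's image. The following added example (not tria.ge code) implements both checks over Sysmon-style process-creation events; EVENTS is constructed from the first three stages of this tree, with the explorer.exe parent (PIDs 800/1000) and the benign cleanup command invented for the sample.

```python
"""Detect the drop-execute-delete relay from process-creation events.

Added example, not tria.ge code. EVENTS is constructed from the process tree in
this report (first three stages); the explorer.exe parent and the benign
build-log cleanup at the end are invented so the negative case is covered.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# A {GUID}.exe sitting directly in the Windows directory.
GUID_STAGE = re.compile(r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# "cmd.exe /c del <target> > nul"; unquoted target, as used by every stage above.
DEL_CMD = re.compile(r"/c\s+del\s+(\S+)", re.I)

CMD = r"C:\Windows\SysWOW64\cmd.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TMP + r"\b64ff5f1c84c8bc597d5c3b16be49d4add17ba27d790797e80e650e4f615b67c.exe"
S1 = r"C:\Windows\{91C7AC41-A405-4d13-BA53-0BC59B7634AD}.exe"
S2 = r"C:\Windows\{3296C14E-EE83-4362-8465-03DEF42B46D6}.exe"
S3 = r"C:\Windows\{E79DD3F3-D479-4e79-8D58-25F005F1C74E}.exe"

EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),          # invented parent
    ProcEvent(4640, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(4436, 4640, S1, S1),
    ProcEvent(4692, 4640, CMD, rf"C:\Windows\system32\cmd.exe /c del {TMP}\B64FF5~1.EXE > nul"),
    ProcEvent(2548, 4436, S2, S2),
    ProcEvent(2312, 4436, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{91C7A~1.EXE > nul"),
    ProcEvent(2808, 2548, S3, S3),
    ProcEvent(2240, 2548, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{3296C~1.EXE > nul"),
    # Invented benign noise: a script deleting its own log must not fire.
    ProcEvent(5000, 1000, r"C:\Windows\System32\cmd.exe", rf"cmd.exe /c del {TMP}\build.log > nul"),
]


def _split(name: str) -> Tuple[str, str]:
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")


def short_name_matches(short_path: str, long_path: str) -> bool:
    """True if an 8.3 name such as {0B50F~1.EXE is plausibly the alias of long_path.
    Heuristic: same directory, extension truncated to three characters, and the
    stem before '~' is a prefix of the long stem (8.3 generation keeps the first
    six characters). The '~N' counter is ignored: it depends on directory collisions."""
    s_dir, _, s_name = short_path.rpartition("\\")
    l_dir, _, l_name = long_path.rpartition("\\")
    if s_dir.lower() != l_dir.lower():
        return False
    s_stem, s_ext = _split(s_name)
    l_stem, l_ext = _split(l_name)
    if "~" not in s_stem:
        return s_name.lower() == l_name.lower()
    prefix = s_stem.split("~", 1)[0]
    return s_ext.lower() == l_ext[:3].lower() and l_stem.upper().startswith(prefix.upper())


def find_stage_chain(events: List[ProcEvent]) -> List[int]:
    """PIDs of the longest parent-to-child run of GUID-named stages under C:\\Windows."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    def walk(e: ProcEvent) -> List[int]:
        best: List[int] = []
        for c in children[e.pid]:
            if GUID_STAGE.match(c.image):
                run = walk(c)
                if len(run) > len(best):
                    best = run
        return [e.pid] + best

    longest: List[int] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Start only at chain heads: a stage whose parent is not itself a stage.
        if GUID_STAGE.match(e.image) and not (parent and GUID_STAGE.match(parent.image)):
            run = walk(e)
            if len(run) > len(longest):
                longest = run
    return longest


def find_self_deletions(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """(cmd pid, parent pid, deleted path) for each cmd.exe deleting its parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_CMD.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(m.group(1), parent.image):
            hits.append((e.pid, parent.pid, m.group(1)))
    return hits


if __name__ == "__main__":
    print("stage chain:", find_stage_chain(EVENTS))
    for cmd_pid, parent_pid, target in find_self_deletions(EVENTS):
        print(f"pid {cmd_pid} deletes the image of its parent {parent_pid}: {target}")
```

Note the image/command-line mismatch the sandbox records for the cmd.exe children (image C:\Windows\SysWOW64\cmd.exe, command line C:\Windows\system32\cmd.exe): that is WOW64 file-system redirection for a 32-bit parent, not tampering, so the match above is on the image basename rather than the full path. The self-deletion check also explains why, by the time the chain is noticed, only the last stage is still present on disk while the earlier GUID-named files exist only in the Downloads list of this report.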

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{05904DFE-59BC-400e-8D3D-41CF138B9B95}.exe

    Filesize

    197KB

    MD5

    f4995b5fb6ef924c3c6c408e1b0c7bcf

    SHA1

    6846e1e55b8dcb0cd989e74fd9c9f114c35caa9a

    SHA256

    aa5801cd26d00a9a39de548f883ba8e664b498bc1ecaf946883b2be7ac4c8279

    SHA512

    391889da8205f04a42ed789f713a89565c8f4b9ab97111f089d88b10d17a6c292fb482650b6adbf78e466afd7f034e7e85979cd3fea7d0eda0a877a200602ecd

  • C:\Windows\{0B50FDC8-A574-462f-923A-8AB42F46E501}.exe

    Filesize

    197KB

    MD5

    b2d719a663d1d92dd50c0d7569c1b95f

    SHA1

    f23e17d90141367b9673421a22d82e4de13a24a0

    SHA256

    e76f644582e35c750b6fa73b5217b87c6cff5296357c172c162fed5089e8363b

    SHA512

    6f1251f7ef9032ff979e3ce5ff4ada29688de09779502bbcb28be264ae779185fc90d3fdf3217fc705ae8157188290ac7b81759d1cb9c0e1eb6b360adc94c902

  • C:\Windows\{3296C14E-EE83-4362-8465-03DEF42B46D6}.exe

    Filesize

    197KB

    MD5

    a63cb61301bca3777d630acbb394b4b0

    SHA1

    ede50210f0b44548797d9b794c5462ccbcbb4b28

    SHA256

    bc7aa005b4b530c1463e2e8d6ade60f74286f3df24ec9775ae5966f4948fa60e

    SHA512

    725b9a2bd7fa1e7eb232eeacc1ac9a81d92f56c534fb3b1b0e860b58bf6ec77147d1e2a32d95dc79a723dfb73b8bd9f5fcf78c6770657231aab03b11cb871172

  • C:\Windows\{4C05E68B-FB39-4fe2-A4A5-A9DB4D7F4333}.exe

    Filesize

    197KB

    MD5

    e0a776bfded16ec637eaad298c4ab7e1

    SHA1

    313896293b646382159ee4a153264c943903540c

    SHA256

    72b528cbb3b575b2fff829c0d3fd26d2bf0c28dedab8447b3fcb3be7908df30f

    SHA512

    0387d940f2038be12f04c5db9c987b68b64543a02ce33c68e3cc02a77572adda888db120cad63b0b0254121d1d829cf23f70b53cfe1a180478f7f460e5eeb819

  • C:\Windows\{65F001F1-377F-4537-A315-58411C9D7740}.exe

    Filesize

    197KB

    MD5

    f7cd4e6968c944fa1676f089c8af838a

    SHA1

    9093bdb5aea02ef936129ba9cfe0f278f719ebe0

    SHA256

    a1a65606145b68c6a389535620cd6df568e481fd3c56b8258ee034b12397d7e5

    SHA512

    dca206bb436c844cd40f5b05edcbfbf38905017efe28c40d1024d933af5760378b8a97bc9939034810cb61db245bede385b3faf14675cb8eb7fb7204b2dacd7f

  • C:\Windows\{6942E11E-FCB0-4e12-96ED-4FE616E16748}.exe

    Filesize

    197KB

    MD5

    7ff33a9ad24fcae9bbdabc43fcb01b8d

    SHA1

    c829ff64c4d234279f81279581f7485d0051bc64

    SHA256

    c897a38175409d7c00c5674f05922b612a4a48db99d2a3a8c9d81e900a4c1bd2

    SHA512

    fc48f38c7392a009c8ff77f835350f60a0e96cfb79dd5ab29e5f7920ac7375aeb387e6f8b5710b17484d9b088ac1f1410037ab9180fb1c04278a58f3b4ca26a1

  • C:\Windows\{89C415AD-18EB-4acb-A818-9E8302F29405}.exe

    Filesize

    197KB

    MD5

    7c8a08145c23139bb9d3242837695f2e

    SHA1

    8facab46509c01334f63294cd95ff578d367942f

    SHA256

    b3100f9bc8742869d8bcaea058d7c4f1562e233af83f202fbbb0ccf988568cce

    SHA512

    d6bb33e701a7ad81929dbd2afe452614757a0c22ff69ed6981791d16fb825cb0cd9fa62a03dde6a0364d7a2d97b262d24585f6f63cce034978279e62179bfe2f

  • C:\Windows\{91C7AC41-A405-4d13-BA53-0BC59B7634AD}.exe

    Filesize

    197KB

    MD5

    89a9b353b3a92591f660b02d39fddb42

    SHA1

    c159ac312a156f83126a4cdc0dd90c8cbd036463

    SHA256

    d03196be971189a46e631468e1cbd42de1ba8239611edcf5e2efb45c463696ae

    SHA512

    06ec5b21a27e4b0ea85be016978e9fa9be0f432dd589c1ee07e28b04417e144fb6d23b281833c0acd6c1cd16477a43f75580826eab49115904077d91e729b501

  • C:\Windows\{C8A5BB9C-D226-47a4-BC70-6EAF6E6F980C}.exe

    Filesize

    197KB

    MD5

    5bd196219aabf6d7cc0d5c99db1d9a22

    SHA1

    4a7d63fe94e3a69322d05b293d3e2ab00bac1b57

    SHA256

    c8cb6318488c341d1cad257a374b6da3657fcaced78d006c6eb6d4ce51ec5d3a

    SHA512

    afae6739bce96a48cbd36768297f3910e660d6b9db62ab616500a9e543199d94f51dd6af29a0b1bd5eacf9b8afce9d5f5bb7fcd5ed8dcbd31954c2dba3848933

  • C:\Windows\{E79DD3F3-D479-4e79-8D58-25F005F1C74E}.exe

    Filesize

    197KB

    MD5

    30de30d0057a794034ca24584857fc53

    SHA1

    92fbf85bdea0ad1cd6b95df3603abf788842766b

    SHA256

    965c31db1c7eb0c6b94df047ce301a2fb44acf78c27f5280cc7d2fd08c9fd9e1

    SHA512

    891250958ae53471daf46370b8a02aba9e84ec4dccb929e22c571d828f80f5a5d18aec0b97b2e530036d573f9c73d298fcef1031a355fa4c285e5268a4bc648c

  • C:\Windows\{FE0A042F-657A-4022-8EA2-394391E2FBE3}.exe

    Filesize

    197KB

    MD5

    9f13873ad314516a6f7d89bce0632e9f

    SHA1

    5e94da2e3483d6b590eb317509003276ee6a3c2c

    SHA256

    bbbb761b6be522a0a5026dffd4fcd5580be82e9c46873140750414b3b4d4830c

    SHA512

    baf18ea7b7511eea4d7693d559d38e4e3b1c9944172b9753d7dff9febcba52d04fa77ae629d2e734244fd474e851cdcb8ccf9115c0051abca6e0d1f9243f315a

  • C:\Windows\{FE7B63FD-44ED-4674-9501-6F23F03FCED7}.exe

    Filesize

    197KB

    MD5

    5de95fc933b37fc190dc1addfb9660ce

    SHA1

    9ba186107e2e69a67302998d7dd8d987586a9851

    SHA256

    18529cfd66aaefcdd1624428109b913b96cd4de3ddbf4c6f18a952dec7a53991

    SHA512

    1b36dd5555651f604c47f1f60d01cc908c890b13f518c1eea3f541a59a3f45981559c955adc0a506adb07b36955268de43a35225c2c971fe564f1b140008a0e1